
Bump the bundler group with 9 updates #47

Merged: 1 commit merged into main from dependabot/bundler/bundler-f4677acb5f on Aug 22, 2024

Conversation

dependabot[bot]
Contributor

@dependabot dependabot bot commented on behalf of github Aug 2, 2024

Bumps the bundler group with 9 updates:

| Package | From | To |
| --- | --- | --- |
| activestorage | 7.0.4 | 7.0.8.1 |
| actionpack | 7.0.4 | 7.0.8.1 |
| actionview | 7.0.4 | 7.0.8.1 |
| activerecord | 7.0.4 | 7.0.8.1 |
| activesupport | 7.0.4 | 7.0.8.1 |
| globalid | 1.0.0 | 1.2.1 |
| loofah | 2.19.0 | 2.22.0 |
| rack | 2.2.4 | 2.2.9 |
| rails-html-sanitizer | 1.4.3 | 1.6.0 |

Updates activestorage from 7.0.4 to 7.0.8.1

Release notes

Sourced from activestorage's releases.

7.0.8.1

Active Support

  • No changes.

Active Model

  • No changes.

Active Record

  • No changes.

Action View

  • No changes.

Action Pack

  • Fix possible XSS vulnerability with the translate method in controllers

    CVE-2024-26143

Active Job

  • No changes.

Action Mailer

  • No changes.

Action Cable

  • No changes.

... (truncated)

Commits
  • 506462a Preparing for 7.0.8.1 release
  • 030cd01 update changelog
  • 723f545 Merge pull request #48869 from brunoprietog/disable-session-active-storage-pr...
  • fc734f2 Preparing for 7.0.8 release
  • 3668b4b Preparing for 7.0.7.2 release
  • 2294b8b Bumping version
  • c92caef Preparing for 7.0.7.1 release
  • 936587d updating version / changelog
  • 522c86f Preparing for 7.0.7 release
  • 593893c Preparing for 7.0.6 release
  • Additional commits viewable in compare view

Updates actionpack from 7.0.4 to 7.0.8.1

Release notes

Sourced from actionpack's releases.

7.0.8.1

Active Support

  • No changes.

Active Model

  • No changes.

Active Record

  • No changes.

Action View

  • No changes.

Action Pack

  • Fix possible XSS vulnerability with the translate method in controllers

    CVE-2024-26143

Active Job

  • No changes.

Action Mailer

  • No changes.

Action Cable

  • No changes.

... (truncated)

Commits

Updates actionview from 7.0.4 to 7.0.8.1

Release notes

Sourced from actionview's releases.

7.0.8.1

Active Support

  • No changes.

Active Model

  • No changes.

Active Record

  • No changes.

Action View

  • No changes.

Action Pack

  • Fix possible XSS vulnerability with the translate method in controllers

    CVE-2024-26143

Active Job

  • No changes.

Action Mailer

  • No changes.

Action Cable

  • No changes.

... (truncated)

Commits
  • 506462a Preparing for 7.0.8.1 release
  • 030cd01 update changelog
  • fc734f2 Preparing for 7.0.8 release
  • 7d31cea Fix no _method input in form_for namespaced model
  • ed9f292 Merge tag 'v7.0.7.2' into 7-0-stable
  • 3668b4b Preparing for 7.0.7.2 release
  • 2294b8b Bumping version
  • 2766c93 Merge branch '7-0-sec' into 7-0-stable
  • c92caef Preparing for 7.0.7.1 release
  • 936587d updating version / changelog
  • Additional commits viewable in compare view

Updates activerecord from 7.0.4 to 7.0.8.1

Release notes

Sourced from activerecord's releases.

7.0.8.1

Active Support

  • No changes.

Active Model

  • No changes.

Active Record

  • No changes.

Action View

  • No changes.

Action Pack

  • Fix possible XSS vulnerability with the translate method in controllers

    CVE-2024-26143

Active Job

  • No changes.

Action Mailer

  • No changes.

Action Cable

  • No changes.

... (truncated)

Commits
  • 506462a Preparing for 7.0.8.1 release
  • 030cd01 update changelog
  • fc734f2 Preparing for 7.0.8 release
  • 8db97a7 Fix change_column not setting precision for sqlite
  • ce75465 Merge pull request #48095 from ippachi/triple-dot-range-unscope
  • d1ac40c Merge pull request #48657 from alpaca-tc/fix-association-with-has-many-inversing
  • 164fcfd Merge pull request #48653 from alpaca-tc/fix-association-pretty-print
  • cdb6d89 Fix Compatibility tests using @internal_metadata
  • c1150f4 Merge pull request #49101 from xfifix/fix/sti_class_name
  • 729dfda Merge pull request #49089 from emilyqiu1005/emilyqiu/add-kill-to-mysql-read-q...
  • Additional commits viewable in compare view

Updates activesupport from 7.0.4 to 7.0.8.1

Release notes

Sourced from activesupport's releases.

7.0.8.1

Active Support

  • No changes.

Active Model

  • No changes.

Active Record

  • No changes.

Action View

  • No changes.

Action Pack

  • Fix possible XSS vulnerability with the translate method in controllers

    CVE-2024-26143

Active Job

  • No changes.

Action Mailer

  • No changes.

Action Cable

  • No changes.

... (truncated)

Commits
  • 506462a Preparing for 7.0.8.1 release
  • 030cd01 update changelog
  • fc734f2 Preparing for 7.0.8 release
  • 7bf0e43 Fix TimeWithZone#to_s being overriden with ENV set
  • f5fd433 Document how to remove to_s deprecation warnings when defaul format is changed
  • ed9f292 Merge tag 'v7.0.7.2' into 7-0-stable
  • 3668b4b Preparing for 7.0.7.2 release
  • 2294b8b Bumping version
  • 2766c93 Merge branch '7-0-sec' into 7-0-stable
  • c92caef Preparing for 7.0.7.1 release
  • Additional commits viewable in compare view

Updates globalid from 1.0.0 to 1.2.1

Release notes

Sourced from globalid's releases.

1.2.0

What's Changed

New Contributors

Full Changelog: rails/globalid@v1.1.0...v1.2.0

1.1.0

What's Changed

New Contributors

Full Changelog: rails/globalid@v1.0.1...v1.1.0

v1.0.1

Possible ReDoS based DoS vulnerability in GlobalID

There is a ReDoS based DoS vulnerability in the GlobalID gem. This vulnerability has been assigned the CVE identifier CVE-2023-22799.

Versions Affected: >= 0.2.1 Not affected: NOTAFFECTED Fixed Versions: 1.0.1

Impact

There is a possible DoS vulnerability in the model name parsing section of the GlobalID gem. Carefully crafted input can cause the regular expression engine to take an unexpected amount of time. All users running an affected release should either upgrade or use one of the workarounds immediately.

... (truncated)

Commits
  • 488ab6c Prepare for 1.2.1
  • 0f585e9 Whitespaces
  • 626a342 Merge pull request #168 from ghiculescu/handle-no-primary-key
  • 759d1eb Don't break on models where primary_key is not defined
  • 27dff72 Prepare for 1.2.0
  • 4ec9833 Merge pull request #165 from rails/rm-json-serializer
  • d371dd1 Change verifier to conform Rails 7.1 API
  • b73e5f9 Remove deprecation when default cache format is used
  • 5246758 Make sure legacy verifier behavior work with JSON serializer and symbol values
  • 2fab171 Update the ruby extension to use Ruby LSP
  • Additional commits viewable in compare view

Updates loofah from 2.19.0 to 2.22.0

Release notes

Sourced from loofah's releases.

2.22.0 / 2023-11-13

Added

2.21.4 / 2023-10-10

Fixed

  • Loofah::HTML5::Scrub.scrub_css is more consistent in preserving whitespace (and lack of whitespace) in CSS property values. In particular, .scrub_css no longer inserts whitespace between tokens that did not already have whitespace between them. [#273, fixes #271]

2.21.3 / 2023-05-15

2.21.2 / 2023-05-11

Dependencies

  • Update the dependency on Nokogiri to be >= 1.12.0. The dependency in 2.21.0 and 2.21.1 was left at >= 1.5.9 but versions before 1.12 would result in a NameError exception. [#266]

2.21.1 / 2023-05-10

Fixed

  • Don't define HTML5::Document and HTML5::DocumentFragment when Nokogiri is < 1.14. In 2.21.0 these classes were defined whenever Nokogiri::HTML5 was defined, but Nokogiri v1.12 and v1.13 do not support Loofah subclassing properly.

2.21.0 / 2023-05-10

HTML5 Support

Classes Loofah::HTML5::Document and Loofah::HTML5::DocumentFragment are introduced, along with helper methods:

  • Loofah.html5_document
  • Loofah.html5_fragment
  • Loofah.scrub_html5_document
  • Loofah.scrub_html5_fragment

These classes and methods use Nokogiri's HTML5 parser to ensure modern web standards are used.

⚠ HTML5 functionality is only available with Nokogiri v1.14.0 and higher.

... (truncated)

Changelog

Sourced from loofah's changelog.

2.22.0 / 2023-11-13

Added

2.21.4 / 2023-10-10

Fixed

  • Loofah::HTML5::Scrub.scrub_css is more consistent in preserving whitespace (and lack of whitespace) in CSS property values. In particular, .scrub_css no longer inserts whitespace between tokens that did not already have whitespace between them. [#273, fixes #271]

2.21.3 / 2023-05-15

Fixed

2.21.2 / 2023-05-11

Dependencies

  • Update the dependency on Nokogiri to be >= 1.12.0. The dependency in 2.21.0 and 2.21.1 was left at >= 1.5.9 but versions before 1.12 would result in a NameError exception. [#266]

2.21.1 / 2023-05-10

Fixed

  • Don't define HTML5::Document and HTML5::DocumentFragment when Nokogiri is < 1.14. In 2.21.0 these classes were defined whenever Nokogiri::HTML5 was defined, but Nokogiri v1.12 and v1.13 do not support Loofah subclassing properly.

2.21.0 / 2023-05-10

HTML5 Support

Classes Loofah::HTML5::Document and Loofah::HTML5::DocumentFragment are introduced, along with helper methods:

  • Loofah.html5_document
  • Loofah.html5_fragment
  • Loofah.scrub_html5_document
  • Loofah.scrub_html5_fragment

These classes and methods use Nokogiri's HTML5 parser to ensure modern web standards are used.

⚠ HTML5 functionality is only available with Nokogiri v1.14.0 and higher.

... (truncated)

Commits
  • cb14ea7 version bump to v2.22.0
  • 64e0a26 update CHANGELOG
  • c5cfb80 Merge pull request #277 from wynksaiddestroy/feature/noreferrer_scrubber
  • 4ad2e13 Add noreferrer scrubber
  • 5345bb7 Merge pull request #275 from hexdevs/add-target-blank-scrub
  • 09e11ad feat: adds :targetblank scrubber
  • 992b054 version bump to v2.21.4
  • 5d9a22f Merge pull request #273 from flavorjones/flavorjones-css-whitespace-handling
  • 876116e fix: scrub_css is more consistent with whitespace
  • edde5f2 Merge pull request #274 from flavorjones/flavorjones-bump-hoe-markdown
  • Additional commits viewable in compare view

Updates rack from 2.2.4 to 2.2.9

Release notes

Sourced from rack's releases.

v2.2.8.1

What's Changed

Full Changelog: rack/rack@v2.2.8...v2.2.8.1

v2.2.8

What's Changed

New Contributors

Full Changelog: rack/rack@v2.2.7...v2.2.8

v2.2.7

What's Changed

New Contributors

Full Changelog: rack/rack@v2.2.6.4...v2.2.7

v2.2.6.4

No release notes provided.

Changelog

Sourced from rack's changelog.

Changelog

All notable changes to this project will be documented in this file. For info on how to format all future additions to this file please reference Keep A Changelog.

Unreleased

Added

Changed

Deprecated

  • Rack::Auth::AbstractRequest#request is deprecated without replacement. (#2229, [@jeremyevans])
  • Rack::Request#parse_multipart (private method designed to be overridden in subclasses) is deprecated without replacement. (#2229, [@jeremyevans])

Removed

[3.1.7] - 2024-07-11

Fixed

[3.1.6] - 2024-07-03

Fixed

  • Fix several edge cases in Rack::Request#parse_http_accept_header's implementation. (#2226, [@ioquatix])

[3.1.5] - 2024-07-02

Security

[3.1.4] - 2024-06-22

Fixed

... (truncated)

Commits

Updates rails-html-sanitizer from 1.4.3 to 1.6.0

Release notes

Sourced from rails-html-sanitizer's releases.

1.6.0 / 2023-05-26

  • Dependencies have been updated:

    • Loofah ~>2.21 and Nokogiri ~>1.14 for HTML5 parser support
    • As a result, required Ruby version is now >= 2.7.0

    Security updates will continue to be made on the 1.5.x release branch as long as Rails 6.1 (which supports Ruby 2.5) is still in security support.

    Mike Dalessio

  • HTML5 standards-compliant sanitizers are now available on platforms supported by Nokogiri::HTML5. These are available as:

    • Rails::HTML5::FullSanitizer
    • Rails::HTML5::LinkSanitizer
    • Rails::HTML5::SafeListSanitizer

    And a new "vendor" is provided at Rails::HTML5::Sanitizer that can be used in a future version of Rails.

    Note that for symmetry Rails::HTML4::Sanitizer is also added, though its behavior is identical to the vendor class methods on Rails::HTML::Sanitizer.

    Users may call Rails::HTML::Sanitizer.best_supported_vendor to get back the HTML5 vendor if it's supported, else the legacy HTML4 vendor.

    Mike Dalessio

  • Module namespaces have changed, but backwards compatibility is provided by aliases.

    The library defines three additional modules:

    • Rails::HTML for general functionality (replacing Rails::Html)
    • Rails::HTML4 containing sanitizers that parse content as HTML4
    • Rails::HTML5 containing sanitizers that parse content as HTML5

    The following aliases are maintained for backwards compatibility:

    • Rails::Html points to Rails::HTML
    • Rails::HTML::FullSanitizer points to Rails::HTML4::FullSanitizer
    • Rails::HTML::LinkSanitizer points to Rails::HTML4::LinkSanitizer
    • Rails::HTML::SafeListSanitizer points to Rails::HTML4::SafeListSanitizer

    Mike Dalessio

  • LinkSanitizer always returns UTF-8 encoded strings. SafeListSanitizer and FullSanitizer already ensured this encoding.

... (truncated)

Changelog

Sourced from rails-html-sanitizer's changelog.

1.6.0 / 2023-05-26

  • Dependencies have been updated:

    • Loofah ~>2.21 and Nokogiri ~>1.14 for HTML5 parser support
    • As a result, required Ruby version is now >= 2.7.0

    Security updates will continue to be made on the 1.5.x release branch as long as Rails 6.1 (which supports Ruby 2.5) is still in security support.

    Mike Dalessio

  • HTML5 standards-compliant sanitizers are now available on platforms supported by Nokogiri::HTML5. These are available as:

    • Rails::HTML5::FullSanitizer
    • Rails::HTML5::LinkSanitizer
    • Rails::HTML5::SafeListSanitizer

    And a new "vendor" is provided at Rails::HTML5::Sanitizer that can be used in a future version of Rails.

    Note that for symmetry Rails::HTML4::Sanitizer is also added, though its behavior is identical to the vendor class methods on Rails::HTML::Sanitizer.

    Users may call Rails::HTML::Sanitizer.best_supported_vendor to get back the HTML5 vendor if it's supported, else the legacy HTML4 vendor.

    Mike Dalessio

  • Module namespaces have changed, but backwards compatibility is provided by aliases.

    The library defines three additional modules:

    • Rails::HTML for general functionality (replacing Rails::Html)
    • Rails::HTML4 containing sanitizers that parse content as HTML4
    • Rails::HTML5 containing sanitizers that parse content as HTML5

    The following aliases are maintained for backwards compatibility:

    • Rails::Html points to Rails::HTML
    • Rails::HTML::FullSanitizer points to Rails::HTML4::FullSanitizer
    • Rails::HTML::LinkSanitizer points to Rails::HTML4::LinkSanitizer
    • Rails::HTML::SafeListSanitizer points to Rails::HTML4::SafeListSanitizer

    Mike Dalessio

  • LinkSanitizer always returns UTF-8 encoded strings. SafeListSanitizer and FullSanitizer already ensured this encoding.

... (truncated)

Commits
  • 19fd6cd version bump to v1.6.0
  • a9b2f1e doc: update CHANGELOG and README with supported branch info
  • ca29c20 doc: update README moving verbose notes after usage
  • 3b31be5 version bump to v1.6.0.rc2
  • b98af6c Merge pull request #167 from rails/flavorjones-best-supported-vendor-method
  • e953444 feat: introduce Rails::HTML::Sanitizer.best_supported_vendor
  • 5419017 version bump to v1.6.0.rc1
  • 669dcd0 doc: update CONTRIBUTING with release process
  • cd77210 Merge pull request #166 from rails/flavorjones-update-deps-for-html5-variation2
  • 7cc07bb dep: update loofah and nokogiri to versions fully supporting HTML5
  • Additional commits viewable in compare view

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.


Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

  • @dependabot rebase will rebase this PR
  • @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
  • @dependabot merge will merge this PR after your CI passes on it
  • @dependabot squash and merge will squash and merge this PR after your CI passes on it
  • @dependabot cancel merge will cancel a previously requested merge and block automerging
  • @dependabot reopen will reopen this PR if it is closed
  • @dependabot close will close this PR and stop Dependabot recreating it. You can achieve the same result by closing it manually
  • @dependabot show <dependency name> ignore conditions will show all of the ignore conditions of the specified dependency
  • @dependabot ignore <dependency name> major version will close this group update PR and stop Dependabot creating any more for the specific dependency's major version (unless you unignore this specific dependency's major version or upgrade to it yourself)
  • @dependabot ignore <dependency name> minor version will close this group update PR and stop Dependabot creating any more for the specific dependency's minor version (unless you unignore this specific dependency's minor version or upgrade to it yourself)
  • @dependabot ignore <dependency name> will close this group update PR and stop Dependabot creating any more for the specific dependency (unless you unignore this specific dependency or upgrade to it yourself)
  • @dependabot unignore <dependency name> will remove all of the ignore conditions of the specified dependency
  • @dependabot unignore <dependency name> <ignore condition> will remove the ignore condition of the specified dependency and ignore conditions

You can disable automated security fix PRs for this repo from the Security Alerts page.
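The Action Pack entry quoted in the release notes above names the fix (CVE-2024-26143, "Fix possible XSS vulnerability with the translate method in controllers") but the page does not describe the defect itself. The example below is added here and is not Rails code or part of this PR; it illustrates the general hazard behind that class of fix: a translation whose text is trusted HTML (the Rails convention of keys ending in `_html`) with an attacker-controlled value interpolated into it. The translation table, the helper names `translate_html_unsafe` / `translate_html_safe`, and the payload are all constructed for the example, and the assumption that this is the relevant bug class is mine, not the page's.

```ruby
require "erb"

# Constructed sample translation table (not a real Rails locale file).
# By convention a key ending in "_html" means the translation *text* is
# trusted HTML; it says nothing about the values interpolated into it.
TRANSLATIONS = {
  "welcome_html" => "<strong>Welcome back, %{name}!</strong>",
  "welcome"      => "Welcome back, %{name}!",
}.freeze

# Vulnerable shape: because the key is an _html key, the whole rendered
# string is treated as trusted markup, so an untrusted interpolation value
# reaches the page unescaped.
def translate_html_unsafe(key, values)
  template = TRANSLATIONS.fetch(key)
  template.gsub(/%\{(\w+)\}/) { values.fetch(Regexp.last_match(1).to_sym).to_s }
end

# Hardened shape: escape each interpolation value before substituting it
# into the trusted _html text; for a plain key, escape the whole result.
def translate_html_safe(key, values)
  template = TRANSLATIONS.fetch(key)
  if key.end_with?("_html")
    template.gsub(/%\{(\w+)\}/) do
      ERB::Util.html_escape(values.fetch(Regexp.last_match(1).to_sym).to_s)
    end
  else
    ERB::Util.html_escape(
      template.gsub(/%\{(\w+)\}/) { values.fetch(Regexp.last_match(1).to_sym).to_s }
    )
  end
end

# Constructed attacker-controlled display name.
PAYLOAD = '<img src=x onerror="alert(1)">'

if __FILE__ == $0
  puts translate_html_unsafe("welcome_html", { name: PAYLOAD })
  puts translate_html_safe("welcome_html", { name: PAYLOAD })
end
```

The unsafe variant emits the `<img ... onerror=...>` tag verbatim inside the `<strong>` element; the safe variant keeps the trusted `<strong>` markup and turns the payload into `&lt;img src=x onerror=&quot;alert(1)&quot;&gt;`. The rule it encodes is the one to check in any code path that builds HTML-safe strings from translations: the `_html` suffix vouches for the locale file, never for request data.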

Bumps the bundler group with 9 updates:

| Package | From | To |
| --- | --- | --- |
| [activestorage](https://github.com/rails/rails) | `7.0.4` | `7.0.8.1` |
| [actionpack](https://github.com/rails/rails) | `7.0.4` | `7.0.8.1` |
| [actionview](https://github.com/rails/rails) | `7.0.4` | `7.0.8.1` |
| [activerecord](https://github.com/rails/rails) | `7.0.4` | `7.0.8.1` |
| [activesupport](https://github.com/rails/rails) | `7.0.4` | `7.0.8.1` |
| [globalid](https://github.com/rails/globalid) | `1.0.0` | `1.2.1` |
| [loofah](https://github.com/flavorjones/loofah) | `2.19.0` | `2.22.0` |
| [rack](https://github.com/rack/rack) | `2.2.4` | `2.2.9` |
| [rails-html-sanitizer](https://github.com/rails/rails-html-sanitizer) | `1.4.3` | `1.6.0` |


Updates `activestorage` from 7.0.4 to 7.0.8.1
- [Release notes](https://github.com/rails/rails/releases)
- [Changelog](https://github.com/rails/rails/blob/v7.1.3.4/activestorage/CHANGELOG.md)
- [Commits](rails/rails@v7.0.4...v7.0.8.1)

Updates `actionpack` from 7.0.4 to 7.0.8.1
- [Release notes](https://github.com/rails/rails/releases)
- [Changelog](https://github.com/rails/rails/blob/v7.1.3.4/actionpack/CHANGELOG.md)
- [Commits](rails/rails@v7.0.4...v7.0.8.1)

Updates `actionview` from 7.0.4 to 7.0.8.1
- [Release notes](https://github.com/rails/rails/releases)
- [Changelog](https://github.com/rails/rails/blob/v7.1.3.4/actionview/CHANGELOG.md)
- [Commits](rails/rails@v7.0.4...v7.0.8.1)

Updates `activerecord` from 7.0.4 to 7.0.8.1
- [Release notes](https://github.com/rails/rails/releases)
- [Changelog](https://github.com/rails/rails/blob/v7.1.3.4/activerecord/CHANGELOG.md)
- [Commits](rails/rails@v7.0.4...v7.0.8.1)

Updates `activesupport` from 7.0.4 to 7.0.8.1
- [Release notes](https://github.com/rails/rails/releases)
- [Changelog](https://github.com/rails/rails/blob/v7.1.3.4/activesupport/CHANGELOG.md)
- [Commits](rails/rails@v7.0.4...v7.0.8.1)

Updates `globalid` from 1.0.0 to 1.2.1
- [Release notes](https://github.com/rails/globalid/releases)
- [Commits](rails/globalid@v1.0.0...v1.2.1)

Updates `loofah` from 2.19.0 to 2.22.0
- [Release notes](https://github.com/flavorjones/loofah/releases)
- [Changelog](https://github.com/flavorjones/loofah/blob/main/CHANGELOG.md)
- [Commits](flavorjones/loofah@v2.19.0...v2.22.0)

Updates `rack` from 2.2.4 to 2.2.9
- [Release notes](https://github.com/rack/rack/releases)
- [Changelog](https://github.com/rack/rack/blob/main/CHANGELOG.md)
- [Commits](rack/rack@2.2.4...v2.2.9)

Updates `rails-html-sanitizer` from 1.4.3 to 1.6.0
- [Release notes](https://github.com/rails/rails-html-sanitizer/releases)
- [Changelog](https://github.com/rails/rails-html-sanitizer/blob/main/CHANGELOG.md)
- [Commits](rails/rails-html-sanitizer@v1.4.3...v1.6.0)

---
updated-dependencies:
- dependency-name: activestorage
  dependency-type: direct:production
  dependency-group: bundler
- dependency-name: actionpack
  dependency-type: indirect
  dependency-group: bundler
- dependency-name: actionview
  dependency-type: indirect
  dependency-group: bundler
- dependency-name: activerecord
  dependency-type: indirect
  dependency-group: bundler
- dependency-name: activesupport
  dependency-type: indirect
  dependency-group: bundler
- dependency-name: globalid
  dependency-type: indirect
  dependency-group: bundler
- dependency-name: loofah
  dependency-type: indirect
  dependency-group: bundler
- dependency-name: rack
  dependency-type: indirect
  dependency-group: bundler
- dependency-name: rails-html-sanitizer
  dependency-type: indirect
  dependency-group: bundler
...

Signed-off-by: dependabot[bot] <[email protected]>
@dependabot dependabot bot added the dependencies Pull requests that update a dependency file label Aug 2, 2024
@G-Rath G-Rath merged commit 2fa127f into main Aug 22, 2024
1 of 2 checks passed
@G-Rath G-Rath deleted the dependabot/bundler/bundler-f4677acb5f branch August 22, 2024 19:34
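Added check, not part of this PR or of Dependabot's output: a script that reads a Gemfile.lock and confirms the gems this PR bumps resolve to at least the versions the quoted release notes identify as fixes. The floors are taken from the page: 7.0.8.1 for actionpack (CVE-2024-26143) and 1.0.1 for globalid (CVE-2023-22799); for rack, loofah and rails-html-sanitizer, whose security entries are truncated or absent here, the floor is simply the version the PR lands on. Eight of the nine bumps are `dependency-type: indirect` per the commit message, so the lockfile, not the Gemfile, is where the resolved versions live. The lockfile excerpt is constructed for the example (rack is deliberately left one patch behind) and is not the repository's real lockfile.

```ruby
# Minimum acceptable versions, taken from the release notes quoted in the PR.
MINIMUM_VERSIONS = {
  "actionpack"           => "7.0.8.1", # CVE-2024-26143 fix release
  "globalid"             => "1.0.1",   # CVE-2023-22799 fix release
  "rack"                 => "2.2.9",   # version this PR lands on
  "loofah"               => "2.22.0",  # version this PR lands on
  "rails-html-sanitizer" => "1.6.0",   # version this PR lands on
}.freeze

# Constructed Gemfile.lock excerpt (not the repository's real lockfile).
SAMPLE_LOCK = <<~LOCK
  GEM
    remote: https://rubygems.org/
    specs:
      actionpack (7.0.8.1)
        actionview (= 7.0.8.1)
        activesupport (= 7.0.8.1)
        rack (~> 2.0, >= 2.2.4)
        rack-test (>= 0.6.3)
        rails-html-sanitizer (~> 1.0, >= 1.2.0)
      globalid (1.2.1)
        activesupport (>= 6.1)
      loofah (2.22.0)
        crass (~> 1.0.2)
        nokogiri (>= 1.12.0)
      nokogiri (1.16.7-x86_64-linux)
        racc (~> 1.4)
      rack (2.2.8.1)
      rails-html-sanitizer (1.6.0)
        loofah (~> 2.21)
        nokogiri (~> 1.14)

  PLATFORMS
    x86_64-linux

  DEPENDENCIES
    activestorage (~> 7.0)
LOCK

# Map gem name -> resolved version. In a Gemfile.lock, resolved specs are
# the lines indented exactly four spaces ("    name (version)"); their
# dependency constraints sit at six spaces and are skipped. A platform
# suffix such as "-x86_64-linux" is dropped from the version.
def lockfile_versions(lock_text)
  versions = {}
  lock_text.each_line do |line|
    m = /\A {4}(\S+) \(([^)]+)\)\s*\z/.match(line)
    next unless m
    versions[m[1]] = m[2].split("-").first
  end
  versions
end

# Return { gem => reason } for every gem present in the lockfile but
# resolved below its floor. Gems the app does not use are not findings.
def check_minimums(lock_text, minimums = MINIMUM_VERSIONS)
  versions = lockfile_versions(lock_text)
  minimums.each_with_object({}) do |(gem_name, floor), findings|
    locked = versions[gem_name]
    next if locked.nil?
    if Gem::Version.new(locked) < Gem::Version.new(floor)
      findings[gem_name] = "locked at #{locked}, below #{floor}"
    end
  end
end

if __FILE__ == $0
  lock_text = ARGV[0] ? File.read(ARGV[0]) : SAMPLE_LOCK
  findings = check_minimums(lock_text)
  findings.each { |gem_name, why| warn "#{gem_name}: #{why}" }
  puts(findings.empty? ? "all floors satisfied" : "#{findings.size} gem(s) below floor")
end
```

Run it against a real lockfile with `ruby check_lock.rb Gemfile.lock` (the filename is an assumption). `Gem::Version` comes with RubyGems, so the script has no dependencies beyond Ruby itself, which matters when the point is to verify a dependency update from outside the bundle being updated. Treating "gem absent" as not-a-finding is deliberate: a floor only applies to gems the application actually resolves.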